The automotive industry is undergoing systemic change to contend with the advancing panoply of cyber threats. Juliet Elliot outlines a possible solution.
In January 2021, a set of new regulations laid down by the United Nations Economic Commission for Europe’s World Forum for Harmonisation of Vehicle Regulations came into force. The intent behind these new regulations is to ensure the Type Approval process that approves vehicles for road use is brought up to date to account for the rapidly advancing automated, digital and software-based subsystems now common on most new vehicles.
One of these regulations, UN ECE 155, contends explicitly with vehicle cybersecurity and will require a wholesale reorganisation of the vehicle design process, the manufacturer’s engineering culture and the industry’s relationship with its customers. In some quarters, it is seen as the biggest shake-up of the industry in a generation – and the cost of non-compliance with the new rules will mean quite simply that vehicle manufacturers will not be able to sell their cars, vans, trucks or buses.
The Evolving Cyber Threat
Influencing factors such as driver utility and safety kick-started the transition of road vehicles from a predominantly mechanical foundation towards integrated electromechanical systems at an accelerating rate from the mid-1980s onwards. However, while onboard data processing was increasing, the vehicle system remained isolated until the advent of low-cost data transmission via cellular communications. Today, the exponential advance of vehicle ECUs, increasing use of data-driven onboard processes and the rise of high-speed wireless data transmission have accelerated this transition. Meanwhile, the more recent rise of electric drivetrains is reducing the reliance of vehicles on mechanically complex subsystems such as the internal combustion engine. In short, vehicle content is now skewed in favour of electronic – as opposed to mechanical – systems. In 1980, according to Deloitte Touche Tohmatsu, electronic systems represented 10% of total vehicle costs. By 2030, they are expected to represent half of the forecourt cost of the average car.
From a cybersecurity perspective, however, this transition to electronic and data-dependent vehicle systems is reflected in more than just cost: production-car models with a complex array of features, including ADAS, require 150 microprocessor ECUs that generate in the order of 1TB of data per day of operation.
The rate of increase of in-vehicle data volume adheres to a growth projection not dissimilar to Moore’s Law, with the number and sophistication of situational sensors for automated vehicles creating a forecasted total sensor bandwidth of up to 40Gbit/second, equivalent to 18TB of data processing per hour for smart vehicles coming into production. Not only do the volumes of data present risk, but the processing of raw data into systems, commands and actions also presents opportunities for unwarranted manipulation.
While onboard data processing rapidly scales, 5G/6G connectivity will progressively allow a proportion of these increasing volumes of data to be moved off the vehicle in situations where it provides some utility in being shared. As sensor data rates grow, current estimates for UK vehicle data transmission by 2030 exceed 14,000 Exabytes (where 1EB = 10^18 bytes).
The growth in scope of electronic control functions, the volume of data processed on board vehicles and its propensity to be transmitted from vehicle-to-vehicle or vehicle-to-infrastructure is the backdrop against which the increasing challenge of cybersecurity is evolving.
The Threat Agents
With the wider, longer and deeper data sandbox that vehicles now present, the scope for malfeasance has increased exponentially – but Regulation 155 aims to shut down this growing threat window.
Cybersecurity engineering experts at Horiba MIRA have identified a number of threat agent categories with varied motivations including dishonest drivers seeking personal advantage, dishonest competitors seeking to damage the brand reputation of their rivals, and even organised crime groups and rogue states aiming to achieve large-scale disruption or harm to society. Additionally, curious hobbyists in pursuit of a challenge also need to be taken into consideration. Consequently, the malicious intent will be varied, as will the financial and technical resources available to different categories of threat agents to mount cybersecurity attacks.
A vehicle’s interfaces provide opportunities for compromising personal and financial data, as well as impacting vehicle-control systems, which manage primary inputs to throttle, braking or steering, presenting a threat to the physical safety and security of road users. More indirect attacks could include adjusting the radio volume or actuating the motors to move the driver’s seat to cause distraction. Other examples include unexpected acceleration due to adaptive cruise-control speed targets being increased, the recording and replay of keyless entry transmissions to facilitate theft, the broadcast of false vehicle-to-infrastructure messages to disrupt traffic, or spoofing or jamming GNSS signals to disguise or hide a vehicle’s location.
The Same. But Different
Cybersecurity experts have witnessed the experience of the IT industry, which suffered considerable and widespread disruption as levels of interconnectivity grew, with unforeseen motivations and a diversity of methods and approaches used to institute attacks. If anything can be learned from the evolution of cybersecurity in the IT sector, it is to expect the unexpected. But as far as the IT industry can be used as an example, the solutions employed to counter cyber attacks unfortunately do not translate back into the automotive sector.
The primary reason the automotive domain differs significantly from the usual understanding of cybersecurity is that threats to computer systems rarely precipitate physical harm to victims; the same is not true of automotive cybersecurity, which must contend with this particular threat dimension not just to road users, but also to any third parties in proximity to the traffic infrastructure. Moreover, the manipulation of onboard sensors and external data sources may falsely modify a vehicle’s awareness of its surroundings. This type of attack is not amenable to traditional intrusion-based IT approaches, as there is no direct interference with the onboard systems and the vehicle cannot distinguish between real or spoofed inputs.
A Now Thing
Once Regulation 155 is adopted into national legislation, it becomes a binding obligation through the Type Approval process in each market – and without Type Approval, vehicles cannot be sold. Several markets have announced timelines for implementing the regulation. Japan will be one of the earlier adopters, with requirements forming part of national regulations already in place from late 2020. The EU is scheduled to implement the regulation for new vehicle model Type Approvals from July 2022, extending to cover all new vehicle registrations by July 2024. Compliance is therefore commercially critical, not just for original equipment manufacturers, but all businesses supporting the automotive supply chain.
Regulation 155 sets out requirements for vehicle manufacturers to establish and maintain cybersecurity; however, as a goal-based framework, Regulation 155 is not prescriptive and does not stipulate the process by which vehicle manufacturers must achieve compliance with the regulation to meet the relevant national requirements. Due to the enormous variation in vehicle types and models and component sub- and control systems, it is impossible to develop a codified and finite set of requirements. This form of the goal-based framework makes compliance more complex, presenting a significant challenge considering that the costs of failure could be profound for the industry.
In summary, however, Regulation 155 will require that:
- Manufacturers will have to implement an independently audited cybersecurity management system, or CSMS, for vehicles to gain Type Approval;
- Manufacturers will have to demonstrate that new vehicles have been developed in accordance with the CSMS and fulfil a set of cybersecurity requirements;
- The manufacturer’s stewardship of the CSMS will apply for the entire vehicle lifecycle and is not solely applicable at the date of sale, which introduces a need for in-field monitoring and issue resolution;
- The Type Approval obligations rest with the vehicle manufacturer but will extend across the entire automotive supply chain to include tier suppliers who contribute to OEM designs.
Changes To Design Engineering
The automotive sector has a strong tradition of safety engineering that will need a significant rethink in light of the new regulation. This culture commonly conflates cybersecurity with safety. While some cybersecurity attacks result in safety compromises, many do not. Financial fraud perpetrated via road-charging systems, or the invasion of privacy through illicit data acquisition, including vehicle tracking or eavesdropping on keyless entry transmissions to enable theft, are just a few examples of the scope of cybersecurity that sits beyond the traditional domain of safety-led engineering.
With a rising threat potential and multiple motivations, vehicle manufacturers might be tempted to seek solutions from existing systems engineering approaches. However, while cybersecurity might appear to be a logical adjunct to Functional Safety and the Safety of Intended Functionality (SOTIF), it is in fact inherently different. Its domain is far wider than addressing malfunctions that are central to Functional Safety or even the reasonably foreseeable misuse that is inherent to SOTIF; it is rather the intentional abuse that characterises cybersecurity attacks and shifts the goalposts beyond mere safety considerations. This is why practitioners, as much as executives, in the industry need to develop solutions expressly focused on cybersecurity, rather than placing reliance on best practice from IT or using established systems engineering procedures that do not scale to the challenge in hand.
As a consequence of these paradigm shifts, the automotive industry’s safety-based engineering tradition will not scale to meet the demands of cybersecurity. The threats are multifarious, the affected parties far more extensive and the sources with which engineered solutions must contend are not passive, but rather rich with intent.
If this does not provide manufacturers with sufficient motivation to review their approach to cybersecurity, other new standards will demand evidence of an upstream ‘security by design’ methodology in engineering practice. Culturally, the shift in emphasis will also have to respond to an entire product lifecycle duty of care to the customer. As the cybersecurity threat landscape is dynamic and new attacks and vulnerabilities will emerge over time, vehicle manufacturers will be obliged to design and manage systems that detect and respond to new threats until the vehicle completes its operational lifecycle.
With such a long duty of care, manufacturers will, for the first time, have to look beyond the extent of a mechanical warranty plan or the first change of ownership of a vehicle, when their obligations have historically lapsed. This prompts a need for dependable over-the-air update technologies to patch vehicles with responses to new threats and a full capability to monitor and respond to cybersecurity threats to the OEM’s fleet.
The solution proposed by Horiba MIRA’s cybersecurity engineers is the development of a Vehicle Security Operations Centre (VSOC). Similar to a conventional IT Security Operations Centre, a VSOC is a mobility-grade combination of tools, processes and personnel to monitor, detect and respond to cybersecurity events and attacks throughout the entire lifecycle of a vehicle, while taking into account the distinct nature, diversity and scale of cyber liabilities that vehicles present. A suitably configured VSOC could provide unified security with converged monitoring, detection and response covering the vehicle, IT and operational technology (OT) domains and will account for the rapid increases in vehicle functionality and connectivity.
Horiba MIRA’s engineers were active contributors to the development of Regulation 155 and the related SAE standard, 21434. The company has teamed up with telecoms provider BT and has spent the last three years preparing to make a VSOC a reality, ready for when the rules start coming into force in Europe this July.